HIGH
accel/amdxdna HwCtx UAF
CVE-2026-45980
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Stop job scheduling across aie2_release_resource()

Running jobs on a hardware context while it is in the process of releasing resources can lead to use-after-free and crashes.

Fix this by stopping job scheduling before calling aie2_release_resource() and restarting it after the release completes. Additionally, aie2_sched_job_run() now checks whether the hardware context is still active.
02 KernelScan AI Analysis
Risk summary
Local users with access to AMD XDNA AI accelerator hardware can trigger use-after-free conditions during hardware context destruction, potentially leading to kernel crashes or privilege escalation. The vulnerability affects systems with AMD AI accelerator cards and requires local access with device permissions.
Vulnerability analysis
The root cause is a race condition where job scheduling continues to run on a hardware context while aie2_release_resource() is destroying that context's resources. Jobs can access freed memory structures, causing use-after-free conditions. The fix implements proper synchronization by stopping the DRM scheduler before resource release, adding a status check in aie2_sched_job_run() to prevent execution on inactive contexts, and restarting the scheduler after cleanup completes. This requires local access to the AMD XDNA accelerator device file.
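The ordering described above, as an added userspace model in C (not the driver's code and not taken from the patch). All names (hwctx, sched_set, job_run, hwctx_release) are hypothetical, a mutex and two flags stand in for the DRM scheduler and the context status, and -EAGAIN/-ENODEV are illustrative return values.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model only: every name here is hypothetical, not driver code. */
struct hwctx {
    pthread_mutex_t lock; /* serializes job execution against release */
    bool sched_running;   /* models the job scheduler being started/stopped */
    bool active;          /* models the "hardware context still active" status */
    int *resource;        /* stands in for what the release step frees */
};

static int hwctx_init(struct hwctx *c) {
    pthread_mutex_init(&c->lock, NULL);
    c->sched_running = c->active = true;
    c->resource = calloc(1, sizeof(*c->resource));
    return c->resource ? 0 : -ENOMEM;
}

static void sched_set(struct hwctx *c, bool running) {
    pthread_mutex_lock(&c->lock);
    c->sched_running = running;
    pthread_mutex_unlock(&c->lock);
}

/* Job callback: touches the resource only if the context is still active. */
static int job_run(struct hwctx *c) {
    int ret = 0;
    pthread_mutex_lock(&c->lock);
    if (!c->sched_running)
        ret = -EAGAIN;     /* scheduler stopped: the job stays queued */
    else if (!c->active)
        ret = -ENODEV;     /* resources released: fail instead of dereferencing */
    else
        ++*c->resource;    /* resource is known to be live here */
    pthread_mutex_unlock(&c->lock);
    return ret;
}

/* Release in the order the fix describes: stop, release, restart. */
static void hwctx_release(struct hwctx *c) {
    sched_set(c, false);   /* no job can start past this point */
    pthread_mutex_lock(&c->lock);
    free(c->resource);
    c->resource = NULL;
    c->active = false;     /* jobs that run after the restart see this and bail */
    pthread_mutex_unlock(&c->lock);
    sched_set(c, true);    /* queued jobs run again and return -ENODEV */
}
```

The model shows why the fix needs both parts: stopping the scheduler covers the window in which resources are freed, and the status check covers jobs that are still queued when scheduling resumes.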
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.15 | 6.15 | b79d31dce49b |
| 6.18 | 6.18.14 | 688c3ff079b1 |
| 6.19 | 6.19.4 | f1370241fe80 |
| mainline | 7.0 | — |